fixing bug #28974 : overflow in array_slice()

The same kind of overflow appeared in array_splice(), substr() and substr_replace()
2024-11-28 12:26:37 +08:00 · 2004-07-11 21:15:04 +00:00 · 2004-07-11 21:15:04 +00:00 · 0eef82a733
commit 0eef82a733
parent 0e8de752fd
3 changed files with 95 additions and 6 deletions
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@ -1746,7 +1746,7 @@ HashTable* php_splice(HashTable *in_hash, int offset, int length,
 	/* ..and the length */
 	if (length < 0) {
 		length = num_in-offset+length;
-	} else if (offset+length > num_in) {
+	} else if (((unsigned) offset + (unsigned) length) > num_in) {
 		length = num_in-offset;
 	}

@ -2125,7 +2125,7 @@ PHP_FUNCTION(array_slice)
 	/* ..and the length */
 	if (length_val < 0) {
 		length_val = num_in-offset_val+length_val;
-	} else if (offset_val+length_val > num_in) {
+	} else if (((unsigned) offset_val + (unsigned) length_val) > num_in) {
 		length_val = num_in-offset_val;
 	}
 	
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@ -237,7 +237,7 @@ static void php_spn_common_handler(INTERNAL_FUNCTION_PARAMETERS, int behavior)
 		}
 	}
 	
-	if ((start + len) > len1) {
+	if (((unsigned) start + (unsigned) len) > len1) {
 		len = len1 - start;
 	}

@ -1901,7 +1901,7 @@ PHP_FUNCTION(substr)
 		RETURN_FALSE;
 	}

-	if ((f + l) > Z_STRLEN_PP(str)) {
+	if (((unsigned) f + (unsigned) l) > Z_STRLEN_PP(str)) {
 		l = Z_STRLEN_PP(str) - f;
 	}

@ -1998,7 +1998,7 @@ PHP_FUNCTION(substr_replace)
 				}
 			}

-			if ((f + l) > Z_STRLEN_PP(str)) {
+			if (((unsigned) f + (unsigned) l) > Z_STRLEN_PP(str)) {
 				l = Z_STRLEN_PP(str) - f;
 			}
 			if (Z_TYPE_PP(repl) == IS_ARRAY) {
@ -2094,7 +2094,7 @@ PHP_FUNCTION(substr_replace)
 				}
 			}

-			if ((f + l) > Z_STRLEN_PP(tmp_str)) {
+			if (((unsigned) f + (unsigned) l) > Z_STRLEN_PP(tmp_str)) {
 				l = Z_STRLEN_PP(tmp_str) - f;
 			}

--- a/ext/standard/tests/array/bug28974.phpt
+++ b/ext/standard/tests/array/bug28974.phpt
@ -0,0 +1,89 @@
+--TEST--
+Bug #28974 array_(p)slice() treats large lengths incorrectly - overflow
+--FILE--
+<?php
+$a = $b = $c = array(0,1,2,3,4,5);
+print_r($a);
+// this is ok:
+print_r(array_slice($a,2,2147483645));
+
+// this is wrong:
+print_r(array_slice($a,2,2147483646));
+echo 'print_r(array_splice($a,2,1));'."\n";
+print_r(array_splice($a,2,1));
+echo "\$a is :";
+print_r($a);
+echo 'print_r(array_splice($b,2,2147483645));'."\n";
+print_r(array_splice($b,2,2147483645));
+echo "\$b is :";
+print_r($b);
+
+// this is wrong:
+echo 'print_r(array_splice($c,2,2147483646));'."\n";
+print_r(array_splice($c,2,2147483646));
+echo "\$c is :";
+print_r($c);
+?>
+--EXPECT--
+Array
+(
+    [0] => 0
+    [1] => 1
+    [2] => 2
+    [3] => 3
+    [4] => 4
+    [5] => 5
+)
+Array
+(
+    [0] => 2
+    [1] => 3
+    [2] => 4
+    [3] => 5
+)
+Array
+(
+    [0] => 2
+    [1] => 3
+    [2] => 4
+    [3] => 5
+)
+print_r(array_splice($a,2,1));
+Array
+(
+    [0] => 2
+)
+$a is :Array
+(
+    [0] => 0
+    [1] => 1
+    [2] => 3
+    [3] => 4
+    [4] => 5
+)
+print_r(array_splice($b,2,2147483645));
+Array
+(
+    [0] => 2
+    [1] => 3
+    [2] => 4
+    [3] => 5
+)
+$b is :Array
+(
+    [0] => 0
+    [1] => 1
+)
+print_r(array_splice($c,2,2147483646));
+Array
+(
+    [0] => 2
+    [1] => 3
+    [2] => 4
+    [3] => 5
+)
+$c is :Array
+(
+    [0] => 0
+    [1] => 1
+)